Proptech: Building and managing a smarter future in a post-COVID-19 world – cybersecurity risks

When buildings adopt proptech, they are simultaneously creating more interconnected and intuitive systems with a goal to improve both the user experience and wider business outcomes. Such buildings are often termed “smart buildings”.

For example, a smart building, and the businesses within it, could use integrated systems and sensors to monitor real-world or real-time events, including to:

• Monitor foot traffic – Technology could be used in a building to allow a business to identify the number of people in the building to predict popular office “working” days or more heavily occupied floors. Tenants and owners can optimise building spaces and manage costs by limiting electricity, air-conditioning and cleaning services within areas where there are lower rates of occupation. Such data could also be valuable in making future occupancy decisions, and in lease negotiations.
• Manage security – An owner may integrate technologies to bolster access controls and surveillance within a building. Such controls could be used to either supplement or replace traditional modes of security within buildings (for example, the need for a security officer on the ground floor of a building).
• Identify risks within buildings – Using technology, such as AI systems, to identify potential work, health and safety risks within buildings (for example, to detect viruses or to identify that there has been a spillage of water on a particular floor).
• Manage technology infrastructure and predict trends – Owners and tenants may use proptech to predict wider business trends and to improve the experience of occupants. For example, a proptech building may be able to identify the busy times within a building and to respond intuitively (for example, to have more lifts in operation during peak periods).

The above benefits are not without risks. Such risks need to be carefully navigated to ensure that proptech operates as intended and is legally compliant. The focus of this edition of our proptech series is on the cybersecurity risks associated with using technologies in a property context.

Cyber risks that come from proptech

As with any technology system, properties with technology components are vulnerable to hackers and other criminal actors. If hackers are able to infiltrate a building’s or business’ systems (or their associated datasets) they have the potential to cause significant harm. They may, for example, be able to disable or interrupt an electricity source, gain control of access gateways within buildings or gain unauthorised access to data. The nature of the damage that may be caused due to cybersecurity attacks will increase with respect to buildings that house critical infrastructure or valuable or sensitive datasets, such as government or financial services data.

Owners and tenants may also expose themselves to ransomware attacks and demands of payment in order to remedy the cybersecurity attack.

Reputationally, a cybersecurity attack can cause significant damage (particularly brand damage) for those affected by it. For building owners, this could lead to tenants not renewing their lease agreements and opting to relocate to a more secure building.

How building owners, operators and tenants can mitigate and manage proptech risks

There are several proactive steps that building owners, tenants and operators can take to manage and mitigate the cybersecurity risks associated with the integration and use of technologies within properties, including:

1. Investing in secure and robust technologies: To minimise the risk of data theft and hacking, organisations are encouraged to invest in systems that are secure and reliable and that are regularly updated to respond to new cybersecurity risks.
2. Compliance with legislation and relevant policies: Organisations will need to ensure that they comply with all relevant legislation, including ensuring that any personal information stored within buildings or collected through proptech systems is collected, handled and protected in accordance with all applicable privacy legislation.  Where applicable (for example, for responsible entities of critical infrastructure assets), organisations also need to comply with the Security of Critical Infrastructure Act 2018 (Cth), including having a risk management program in place and complying with the mandatory cyber-security incident notification requirements under this Act.  Government agencies should also comply with all relevant government security policies. The policies that apply will depend on the State or Jurisdiction concerned.
3. Systems and processes: Organisations should ensure that they have robust systems, policies and processes in place to protect technology systems and to mitigate the damage caused by a potential cybersecurity attack. Optimally, there should be off-site systems that allow a business to operate from a separate server if the building is subject to an attack.
4. Cyber response and business continuity plans: Organisations should have and maintain a cybersecurity response plan, as well as a business continuity plan. All relevant personnel should be trained in the application of these plans and what to do in the event of an attack.
5. Monitor risk: Organisations should regularly review and test technology systems within buildings to monitor any potential cybersecurity gaps and to ensure that proptech is operating effectively. They should also review (and as necessary update) their cybersecurity response plans and procedures to ensure that their plans and procedures are up to date and reflect any potential new cybersecurity risks. As cybersecurity risks, such as hacking, become more sophisticated, and risk-exposure adjusts over time, owners and tenants must implement sophisticated risk review and control mechanisms to place themselves in the best position to counter any potential attack.
6. Insurance: Owners and occupants should consider effecting and maintaining appropriate insurances to cover cybersecurity risks, for example, cyber insurance. It is recommended that organisations consider the scope of their existing insurance policies to consider whether cybersecurity related claims and losses in a proptech context are sufficiently covered.
7. Contractual provisions: Landlords and tenants should embed robust contractual provisions relating to the proptech within lease agreements, including making it clear who is responsible for the maintenance and testing of technologies within buildings and the collection and storage of personal information. The lease agreement should also clearly record the party who bears the liability for potential cybersecurity (or broader security) breaches.

Terms and conditions (including security provisions) should also be added to technology contracts for the licensing, development and integration of technologies within buildings and the maintenance of such technologies. Where relevant (for example, for software support contracts) measurable service levels should be added to contracts to ensure the prompt and timely response and resolution of cybersecurity issues. We will discuss in more detail contractual provisions in a proptech context in a later part of this series.